Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Fortigate IPS



Im very new to FG and would like to ask you guys..


1. is it possible to use IPS with certificate inspection (and not deep inspection) and if so what im I losing using just cert inspection.


2. Should i use IPSon every policy?





Since you are new to Fortigate, I would suggest checking this KB which describes best practices when it comes to the IPS:
Without deep inspection, do not expect the IPS to detect the vulnerabilities, as they might be encrypted(with TLS for example), and without deep inspection you`ll not be able to check the payload of the packet in order to determine if the packet/traffic is matching the restrictions which are configured on the IPS profile.



Contributor II

Just to add to this, this is the reason to implement WAF (web application firewall) for those internal web applications you are trying to protect. Since you cannot implement your certificate needed for DPI to everyone on the Internet, you can however, implement it on a WAF to decrypt that traffic for mitigation before it hits your internal web servers. 


In regards to your second question...maybe. Intrusion is typically an inbound/ingress rule (and the need to apply a IPS ingress rule to all policies depend on what you are trying to protect inbound); however, one item that can be applied to an IPS rule is the blocking of malicious URLs and Outgoing connections to Botnet sites. I use this for traffic egressing my network to "all" destinations for example, but not for my more granular specific trusted destination networks/hosts on the Internet. So the same logic can also be used for your ingress rules too. If you have a trusted network/host on the Internet for some reason or another, then maybe you don't need to apply a IPS rule for that policy...but again, maybe.



> 1. is it possible to use IPS with certificate inspection (and not deep inspection)


> and if so what im I losing using just cert inspection.

As mentioned by aahmadzada the FortiGate might not be able to scan all content if it is TLS encrypted.
Some attacks can be detected with certificate inspection but not all of them.
Many signatures require deep inspection to decrypt the traffic and inspect the actual payload. Those attacks will not be detected with certificate inspection.

> 2. Should i use IPSon every policy?

No, you shouldn't simply due to performance reasons.
Depending on the size of your device and the type/amount of CPU cores you can easily saturate the CPUs with scanning tasks.
You can of course scan all traffic with IPS for better security and monitor the CPU usage i.e. with "diag sys top".
If there is any IPS process listed with a higher CPU load, then the scanning is likely too much and should be reduced.


New Contributor

So if i have user lan to server lan policy and a server lan to user lan polocy, I should enable ips on the two?


I like the idea of having your servers protected from both external and internal users. This will give you maximal security, but also be mindful of the work it takes to maintain that. This is why those IPS sensors need to be customized down to your environment (what are your servers' serving). Monitor and testing will have to be done to weed out false positives as others have mentioned, along with making sure your firewall can handle the added processing burden as well. In regards to your server to user lan policy, are you concerned that your users/devices on your server LAN will attack your users LAN? Not saying that is outside the realm of possibility, but I would be more prone to use those resources to protect clients from the Internet as I trust my server LAN, if that makes sense.


In essence, you are given a finite amount of processing resources and you have to determine what's more important to protect with those resources. Using those resources on a Server LAN to User LAN policy would be "low man on the totem pole" for me as they say....if needed at all.